summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--common/build.mk6
-rw-r--r--core/cortex-m/build.mk1
-rw-r--r--include/config.h3
-rw-r--r--test/aes.c383
-rw-r--r--test/test_config.h1
-rw-r--r--third_party/boringssl/common/aes-gcm.c274
-rw-r--r--third_party/boringssl/core/cortex-m/ghash.S17
-rw-r--r--third_party/boringssl/include/aes-gcm.h96
8 files changed, 446 insertions, 335 deletions
diff --git a/common/build.mk b/common/build.mk
index eb03c46683..e834647562 100644
--- a/common/build.mk
+++ b/common/build.mk
@@ -19,6 +19,7 @@ common-$(CONFIG_ACCEL_KX022)+=math_util.o
ifneq ($(CORE),cortex-m)
common-$(CONFIG_AES)+=aes.o
endif
+common-$(CONFIG_AES_GCM)+=aes-gcm.o
common-$(CONFIG_CMD_ADC)+=adc.o
common-$(HAS_TASK_ALS)+=als.o
common-$(CONFIG_AP_HANG_DETECT)+=ap_hang_detect.o
@@ -162,6 +163,11 @@ $(out)/RW/common/rsa.o: CFLAGS+=-O3
$(out)/RO/common/rsa.o: CFLAGS+=-O3
endif
+# AES-GCM code needs C99, else we'd have to move many variables declarations
+# around.
+$(out)/RW/common/aes-gcm.o: CFLAGS+=-std=c99 -Wno-declaration-after-statement
+$(out)/RO/common/aes-gcm.o: CFLAGS+=-std=c99 -Wno-declaration-after-statement
+
ifneq ($(CONFIG_BOOTBLOCK),)
build-util-bin += gen_emmc_transfer_data
diff --git a/core/cortex-m/build.mk b/core/cortex-m/build.mk
index e86ba23c59..410ea028ee 100644
--- a/core/cortex-m/build.mk
+++ b/core/cortex-m/build.mk
@@ -24,6 +24,7 @@ endif
core-y=cpu.o init.o ldivmod.o llsr.o uldivmod.o vecttable.o
core-$(CONFIG_AES)+=aes.o
+core-$(CONFIG_AES_GCM)+=ghash.o
core-$(CONFIG_ARMV7M_CACHE)+=cache.o
core-$(CONFIG_COMMON_PANIC_OUTPUT)+=panic.o
core-$(CONFIG_COMMON_RUNTIME)+=switch.o task.o
diff --git a/include/config.h b/include/config.h
index bb666278aa..0d1fa01bc5 100644
--- a/include/config.h
+++ b/include/config.h
@@ -162,6 +162,9 @@
/* Support AES symmetric-key algorithm */
#undef CONFIG_AES
+/* Support AES-GCM */
+#undef CONFIG_AES_GCM
+
/*
* Some ALS modules may be connected to the EC. We need the command, and
* specific drivers for each module.
diff --git a/test/aes.c b/test/aes.c
index 18791cf7b7..0c50d80643 100644
--- a/test/aes.c
+++ b/test/aes.c
@@ -13,6 +13,7 @@
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include "aes.h"
+#include "aes-gcm.h"
#include "console.h"
#include "common.h"
#include "test_util.h"
@@ -20,33 +21,399 @@
#include "util.h"
#include "watchdog.h"
+/* Temporary buffer, to avoid using too much stack space. */
+static uint8_t tmp[512];
+
+static int test_aes_gcm_raw(const uint8_t *key, int key_size,
+ const uint8_t *plaintext, const uint8_t *ciphertext, int plaintext_size,
+ const uint8_t *nonce, int nonce_size,
+ const uint8_t *tag, int tag_size) {
+
+ uint8_t *out = tmp;
+ static AES_KEY aes_key;
+ static GCM128_CONTEXT ctx;
+
+ TEST_ASSERT(plaintext_size <= sizeof(tmp));
+
+ TEST_ASSERT(AES_set_encrypt_key(key, 8 * key_size, &aes_key) == 0);
+
+ CRYPTO_gcm128_init(&ctx, &aes_key, (block128_f)AES_encrypt, 0);
+ CRYPTO_gcm128_setiv(&ctx, &aes_key, nonce, nonce_size);
+ CRYPTO_gcm128_encrypt(&ctx, &aes_key, plaintext, out, plaintext_size);
+ TEST_ASSERT(CRYPTO_gcm128_finish(&ctx, tag, tag_size));
+ TEST_ASSERT_ARRAY_EQ(ciphertext, out, plaintext_size);
+
+ CRYPTO_gcm128_setiv(&ctx, &aes_key, nonce, nonce_size);
+ memset(out, 0, plaintext_size);
+ CRYPTO_gcm128_decrypt(&ctx, &aes_key, ciphertext, out, plaintext_size);
+ TEST_ASSERT(CRYPTO_gcm128_finish(&ctx, tag, tag_size));
+ TEST_ASSERT_ARRAY_EQ(plaintext, out, plaintext_size);
+
+ return EC_SUCCESS;
+}
+
+static int test_aes_gcm(void)
+{
+ /*
+ * Test vectors from BoringSSL crypto/fipsmodule/modes/gcm_tests.txt
+ * (only the ones with actual data, and no additional data).
+ */
+ static const uint8_t key1[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t plain1[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t nonce1[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t cipher1[] = {
+ 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
+ 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78,
+ };
+ static const uint8_t tag1[] = {
+ 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
+ 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf,
+ };
+
+ static const uint8_t key2[] = {
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+ };
+ static const uint8_t plain2[] = {
+ 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+ 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+ 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+ 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+ 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+ 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55,
+ };
+ static const uint8_t nonce2[] = {
+ 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+ 0xde, 0xca, 0xf8, 0x88,
+ };
+ static const uint8_t cipher2[] = {
+ 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+ 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+ 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+ 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+ 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+ 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+ 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+ 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85,
+ };
+ static const uint8_t tag2[] = {
+ 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
+ 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4,
+ };
+
+ static const uint8_t key3[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t plain3[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t nonce3[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t cipher3[] = {
+ 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
+ 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00,
+ };
+ static const uint8_t tag3[] = {
+ 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
+ 0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb,
+ };
+
+ static const uint8_t key4[] = {
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ };
+ static const uint8_t plain4[] = {
+ 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+ 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+ 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+ 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+ 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+ 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55,
+ };
+ static const uint8_t nonce4[] = {
+ 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+ 0xde, 0xca, 0xf8, 0x88,
+ };
+ static const uint8_t cipher4[] = {
+ 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+ 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+ 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+ 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+ 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+ 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+ 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+ 0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56,
+ };
+ static const uint8_t tag4[] = {
+ 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
+ 0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14,
+ };
+
+ static const uint8_t key5[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t plain5[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t nonce5[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t cipher5[] = {
+ 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
+ 0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18,
+ };
+ static const uint8_t tag5[] = {
+ 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
+ 0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19,
+ };
+
+ static const uint8_t key6[] = {
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+ };
+ static const uint8_t plain6[] = {
+ 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+ 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+ 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+ 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+ 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+ 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55,
+ };
+ static const uint8_t nonce6[] = {
+ 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+ 0xde, 0xca, 0xf8, 0x88,
+ };
+ static const uint8_t cipher6[] = {
+ 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+ 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+ 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+ 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+ 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+ 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+ 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+ 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad,
+ };
+ static const uint8_t tag6[] = {
+ 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
+ 0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c,
+ };
+
+ static const uint8_t key7[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t plain7[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ };
+ /* This nonce results in 0xfff in counter LSB. */
+ static const uint8_t nonce7[] = {
+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ };
+ static const uint8_t cipher7[] = {
+ 0x56, 0xb3, 0x37, 0x3c, 0xa9, 0xef, 0x6e, 0x4a,
+ 0x2b, 0x64, 0xfe, 0x1e, 0x9a, 0x17, 0xb6, 0x14,
+ 0x25, 0xf1, 0x0d, 0x47, 0xa7, 0x5a, 0x5f, 0xce,
+ 0x13, 0xef, 0xc6, 0xbc, 0x78, 0x4a, 0xf2, 0x4f,
+ 0x41, 0x41, 0xbd, 0xd4, 0x8c, 0xf7, 0xc7, 0x70,
+ 0x88, 0x7a, 0xfd, 0x57, 0x3c, 0xca, 0x54, 0x18,
+ 0xa9, 0xae, 0xff, 0xcd, 0x7c, 0x5c, 0xed, 0xdf,
+ 0xc6, 0xa7, 0x83, 0x97, 0xb9, 0xa8, 0x5b, 0x49,
+ 0x9d, 0xa5, 0x58, 0x25, 0x72, 0x67, 0xca, 0xab,
+ 0x2a, 0xd0, 0xb2, 0x3c, 0xa4, 0x76, 0xa5, 0x3c,
+ 0xb1, 0x7f, 0xb4, 0x1c, 0x4b, 0x8b, 0x47, 0x5c,
+ 0xb4, 0xf3, 0xf7, 0x16, 0x50, 0x94, 0xc2, 0x29,
+ 0xc9, 0xe8, 0xc4, 0xdc, 0x0a, 0x2a, 0x5f, 0xf1,
+ 0x90, 0x3e, 0x50, 0x15, 0x11, 0x22, 0x13, 0x76,
+ 0xa1, 0xcd, 0xb8, 0x36, 0x4c, 0x50, 0x61, 0xa2,
+ 0x0c, 0xae, 0x74, 0xbc, 0x4a, 0xcd, 0x76, 0xce,
+ 0xb0, 0xab, 0xc9, 0xfd, 0x32, 0x17, 0xef, 0x9f,
+ 0x8c, 0x90, 0xbe, 0x40, 0x2d, 0xdf, 0x6d, 0x86,
+ 0x97, 0xf4, 0xf8, 0x80, 0xdf, 0xf1, 0x5b, 0xfb,
+ 0x7a, 0x6b, 0x28, 0x24, 0x1e, 0xc8, 0xfe, 0x18,
+ 0x3c, 0x2d, 0x59, 0xe3, 0xf9, 0xdf, 0xff, 0x65,
+ 0x3c, 0x71, 0x26, 0xf0, 0xac, 0xb9, 0xe6, 0x42,
+ 0x11, 0xf4, 0x2b, 0xae, 0x12, 0xaf, 0x46, 0x2b,
+ 0x10, 0x70, 0xbe, 0xf1, 0xab, 0x5e, 0x36, 0x06,
+ 0x87, 0x2c, 0xa1, 0x0d, 0xee, 0x15, 0xb3, 0x24,
+ 0x9b, 0x1a, 0x1b, 0x95, 0x8f, 0x23, 0x13, 0x4c,
+ 0x4b, 0xcc, 0xb7, 0xd0, 0x32, 0x00, 0xbc, 0xe4,
+ 0x20, 0xa2, 0xf8, 0xeb, 0x66, 0xdc, 0xf3, 0x64,
+ 0x4d, 0x14, 0x23, 0xc1, 0xb5, 0x69, 0x90, 0x03,
+ 0xc1, 0x3e, 0xce, 0xf4, 0xbf, 0x38, 0xa3, 0xb6,
+ 0x0e, 0xed, 0xc3, 0x40, 0x33, 0xba, 0xc1, 0x90,
+ 0x27, 0x83, 0xdc, 0x6d, 0x89, 0xe2, 0xe7, 0x74,
+ 0x18, 0x8a, 0x43, 0x9c, 0x7e, 0xbc, 0xc0, 0x67,
+ 0x2d, 0xbd, 0xa4, 0xdd, 0xcf, 0xb2, 0x79, 0x46,
+ 0x13, 0xb0, 0xbe, 0x41, 0x31, 0x5e, 0xf7, 0x78,
+ 0x70, 0x8a, 0x70, 0xee, 0x7d, 0x75, 0x16, 0x5c,
+ };
+ static const uint8_t tag7[] = {
+ 0x8b, 0x30, 0x7f, 0x6b, 0x33, 0x28, 0x6d, 0x0a,
+ 0xb0, 0x26, 0xa9, 0xed, 0x3f, 0xe1, 0xe8, 0x5f,
+ };
+
+ TEST_ASSERT(!test_aes_gcm_raw(key1, sizeof(key1),
+ plain1, cipher1, sizeof(plain1),
+ nonce1, sizeof(nonce1), tag1, sizeof(tag1)));
+ TEST_ASSERT(!test_aes_gcm_raw(key2, sizeof(key2),
+ plain2, cipher2, sizeof(plain2),
+ nonce2, sizeof(nonce2), tag2, sizeof(tag2)));
+ TEST_ASSERT(!test_aes_gcm_raw(key3, sizeof(key3),
+ plain3, cipher3, sizeof(plain3),
+ nonce3, sizeof(nonce3), tag3, sizeof(tag3)));
+ TEST_ASSERT(!test_aes_gcm_raw(key4, sizeof(key4),
+ plain4, cipher4, sizeof(plain4),
+ nonce4, sizeof(nonce4), tag4, sizeof(tag4)));
+ TEST_ASSERT(!test_aes_gcm_raw(key5, sizeof(key5),
+ plain5, cipher5, sizeof(plain5),
+ nonce5, sizeof(nonce5), tag5, sizeof(tag5)));
+ TEST_ASSERT(!test_aes_gcm_raw(key6, sizeof(key6),
+ plain6, cipher6, sizeof(plain6),
+ nonce6, sizeof(nonce6), tag6, sizeof(tag6)));
+ TEST_ASSERT(!test_aes_gcm_raw(key7, sizeof(key7),
+ plain7, cipher7, sizeof(plain7),
+ nonce7, sizeof(nonce7), tag7, sizeof(tag7)));
+
+ return EC_SUCCESS;
+}
+
+static void test_aes_gcm_speed(void)
+{
+ int i;
+ static const uint8_t key[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ };
+ const int key_size = sizeof(key);
+ static const uint8_t plaintext[512] = { 0 };
+ const int plaintext_size = sizeof(plaintext);
+ static const uint8_t nonce[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ };
+ const int nonce_size = sizeof(nonce);
+ uint8_t tag[12] = {0};
+ const int tag_size = sizeof(tag);
+
+ uint8_t *out = tmp;
+ static AES_KEY aes_key;
+ static GCM128_CONTEXT ctx;
+ timestamp_t t0, t1;
+
+ assert(plaintext_size <= sizeof(tmp));
+
+ t0 = get_time();
+ for (i = 0; i < 1000; i++) {
+ AES_set_encrypt_key(key, 8 * key_size, &aes_key);
+ CRYPTO_gcm128_init(&ctx, &aes_key, (block128_f)AES_encrypt, 0);
+ CRYPTO_gcm128_setiv(&ctx, &aes_key, nonce, nonce_size);
+ CRYPTO_gcm128_encrypt(&ctx, &aes_key, plaintext, out,
+ plaintext_size);
+ CRYPTO_gcm128_tag(&ctx, tag, tag_size);
+ }
+ t1 = get_time();
+ ccprintf("AES-GCM duration %ld us\n", t1.val - t0.val);
+}
+
static int test_aes_raw(const uint8_t *key, int key_size,
const uint8_t *plaintext, const uint8_t *ciphertext)
{
AES_KEY aes_key;
- uint8_t block[AES_BLOCK_SIZE];
+ uint8_t *block = tmp;
+
+ TEST_ASSERT(AES_BLOCK_SIZE <= sizeof(tmp));
TEST_ASSERT(AES_set_encrypt_key(key, 8 * key_size, &aes_key) == 0);
/* Test encryption. */
AES_encrypt(plaintext, block, &aes_key);
- TEST_ASSERT_ARRAY_EQ(ciphertext, block, sizeof(block));
+ TEST_ASSERT_ARRAY_EQ(ciphertext, block, AES_BLOCK_SIZE);
/* Test in-place encryption. */
memcpy(block, plaintext, AES_BLOCK_SIZE);
AES_encrypt(block, block, &aes_key);
- TEST_ASSERT_ARRAY_EQ(ciphertext, block, sizeof(block));
+ TEST_ASSERT_ARRAY_EQ(ciphertext, block, AES_BLOCK_SIZE);
TEST_ASSERT(AES_set_decrypt_key(key, 8 * key_size, &aes_key) == 0);
/* Test decryption. */
AES_decrypt(ciphertext, block, &aes_key);
- TEST_ASSERT_ARRAY_EQ(plaintext, block, sizeof(block));
+ TEST_ASSERT_ARRAY_EQ(plaintext, block, AES_BLOCK_SIZE);
/* Test in-place decryption. */
memcpy(block, ciphertext, AES_BLOCK_SIZE);
AES_decrypt(block, block, &aes_key);
- TEST_ASSERT_ARRAY_EQ(plaintext, block, sizeof(block));
+ TEST_ASSERT_ARRAY_EQ(plaintext, block, AES_BLOCK_SIZE);
return EC_SUCCESS;
}
@@ -140,5 +507,11 @@ void run_test(void)
watchdog_reload();
RUN_TEST(test_aes);
+ /* do not check result, just as a benchmark */
+ test_aes_gcm_speed();
+
+ watchdog_reload();
+ RUN_TEST(test_aes_gcm);
+
test_print_result();
}
diff --git a/test/test_config.h b/test/test_config.h
index 3833661af6..8a972f10c3 100644
--- a/test/test_config.h
+++ b/test/test_config.h
@@ -20,6 +20,7 @@
#ifdef TEST_AES
#define CONFIG_AES
+#define CONFIG_AES_GCM
#endif
#ifdef TEST_BASE32
diff --git a/third_party/boringssl/common/aes-gcm.c b/third_party/boringssl/common/aes-gcm.c
index 99d0e15e83..c9fa359aac 100644
--- a/third_party/boringssl/common/aes-gcm.c
+++ b/third_party/boringssl/common/aes-gcm.c
@@ -46,24 +46,41 @@
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ==================================================================== */
-#include <openssl/base.h>
+#include "aes-gcm.h"
+#include "common.h"
+#include "endian.h"
+#include "util.h"
-#include <assert.h>
-#include <string.h>
+#define STRICT_ALIGNMENT 1
-#include <openssl/mem.h>
-#include <openssl/cpu.h>
+#define OPENSSL_memcpy memcpy
+#define OPENSSL_memset memset
+#define CRYPTO_memcmp safe_memcmp
-#include "internal.h"
-#include "../../internal.h"
-
-#if !defined(OPENSSL_NO_ASM) && \
- (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
- defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) || \
- defined(OPENSSL_PPC64LE))
+#ifdef CORE_CORTEX_M
#define GHASH_ASM
+#define OPENSSL_ARM
+#define __ARM_ARCH__ 7
#endif
+static inline uint32_t CRYPTO_bswap4(uint32_t x) {
+ return __builtin_bswap32(x);
+}
+
+static inline uint64_t CRYPTO_bswap8(uint64_t x) {
+ return __builtin_bswap64(x);
+}
+
+static inline size_t load_word_le(const void *in) {
+ size_t v;
+ OPENSSL_memcpy(&v, in, sizeof(v));
+ return v;
+}
+
+static inline void store_word_le(void *out, size_t v) {
+ OPENSSL_memcpy(out, &v, sizeof(v));
+}
+
#define PACK(s) ((size_t)(s) << (sizeof(size_t) * 8 - 16))
#define REDUCE1BIT(V) \
do { \
@@ -283,13 +300,12 @@ void gcm_ghash_4bit_mmx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *in
#endif
#elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
-#include <openssl/arm_arch.h>
#if __ARM_ARCH__ >= 7
#define GHASH_ASM_ARM
#define GCM_FUNCREF_4BIT
static int pmull_capable(void) {
- return CRYPTO_is_ARMv8_PMULL_capable();
+ return 0;
}
void gcm_init_v8(u128 Htable[16], const uint64_t Xi[2]);
@@ -297,7 +313,7 @@ void gcm_gmult_v8(uint64_t Xi[2], const u128 Htable[16]);
void gcm_ghash_v8(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
size_t len);
-#if defined(OPENSSL_ARM)
+#if defined(OPENSSL_ARM_NEON)
// 32-bit ARM also has support for doing GCM with NEON instructions.
static int neon_capable(void) {
return CRYPTO_is_NEON_capable();
@@ -313,14 +329,14 @@ static int neon_capable(void) {
return 0;
}
static void gcm_init_neon(u128 Htable[16], const uint64_t Xi[2]) {
- abort();
+
}
static void gcm_gmult_neon(uint64_t Xi[2], const u128 Htable[16]) {
- abort();
+
}
static void gcm_ghash_neon(uint64_t Xi[2], const u128 Htable[16],
const uint8_t *inp, size_t len) {
- abort();
+
}
#endif
@@ -344,11 +360,9 @@ void gcm_ghash_p8(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
#endif
#endif
-void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
- u128 *out_key, u128 out_table[16],
- int *out_is_avx,
- const uint8_t *gcm_key) {
- *out_is_avx = 0;
+static void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
+ u128 *out_key, u128 out_table[16],
+ const uint8_t *gcm_key) {
union {
uint64_t u[2];
@@ -426,11 +440,8 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *aes_key,
OPENSSL_memset(gcm_key, 0, sizeof(gcm_key));
(*block)(gcm_key, gcm_key, aes_key);
- int is_avx;
- CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, &ctx->H, ctx->Htable, &is_avx,
+ CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, &ctx->H, ctx->Htable,
gcm_key);
-
- ctx->use_aesni_gcm_crypt = (is_avx && block_is_hwaes) ? 1 : 0;
}
void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key,
@@ -807,215 +818,6 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key,
return 1;
}
-int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const void *key,
- const uint8_t *in, uint8_t *out, size_t len,
- ctr128_f stream) {
- unsigned int n, ctr;
- uint64_t mlen = ctx->len.u[1];
-#ifdef GCM_FUNCREF_4BIT
- void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;
-#ifdef GHASH
- void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
- size_t len) = ctx->ghash;
-#endif
-#endif
-
- mlen += len;
- if (mlen > ((UINT64_C(1) << 36) - 32) ||
- (sizeof(len) == 8 && mlen < len)) {
- return 0;
- }
- ctx->len.u[1] = mlen;
-
- if (ctx->ares) {
- // First call to encrypt finalizes GHASH(AAD)
- GCM_MUL(ctx, Xi);
- ctx->ares = 0;
- }
-
- n = ctx->mres;
- if (n) {
- while (n && len) {
- ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];
- --len;
- n = (n + 1) % 16;
- }
- if (n == 0) {
- GCM_MUL(ctx, Xi);
- } else {
- ctx->mres = n;
- return 1;
- }
- }
-
-#if defined(AESNI_GCM)
- if (ctx->use_aesni_gcm_crypt) {
- // |aesni_gcm_encrypt| may not process all the input given to it. It may
- // not process *any* of its input if it is deemed too small.
- size_t bulk = aesni_gcm_encrypt(in, out, len, key, ctx->Yi.c, ctx->Xi.u);
- in += bulk;
- out += bulk;
- len -= bulk;
- }
-#endif
-
- ctr = CRYPTO_bswap4(ctx->Yi.d[3]);
-
-#if defined(GHASH)
- while (len >= GHASH_CHUNK) {
- (*stream)(in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
- ctr += GHASH_CHUNK / 16;
- ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
- GHASH(ctx, out, GHASH_CHUNK);
- out += GHASH_CHUNK;
- in += GHASH_CHUNK;
- len -= GHASH_CHUNK;
- }
-#endif
- size_t i = len & kSizeTWithoutLower4Bits;
- if (i != 0) {
- size_t j = i / 16;
-
- (*stream)(in, out, j, key, ctx->Yi.c);
- ctr += (unsigned int)j;
- ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
- in += i;
- len -= i;
-#if defined(GHASH)
- GHASH(ctx, out, i);
- out += i;
-#else
- while (j--) {
- for (i = 0; i < 16; ++i) {
- ctx->Xi.c[i] ^= out[i];
- }
- GCM_MUL(ctx, Xi);
- out += 16;
- }
-#endif
- }
- if (len) {
- (*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
- ++ctr;
- ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
- while (len--) {
- ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];
- ++n;
- }
- }
-
- ctx->mres = n;
- return 1;
-}
-
-int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const void *key,
- const uint8_t *in, uint8_t *out, size_t len,
- ctr128_f stream) {
- unsigned int n, ctr;
- uint64_t mlen = ctx->len.u[1];
-#ifdef GCM_FUNCREF_4BIT
- void (*gcm_gmult_p)(uint64_t Xi[2], const u128 Htable[16]) = ctx->gmult;
-#ifdef GHASH
- void (*gcm_ghash_p)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
- size_t len) = ctx->ghash;
-#endif
-#endif
-
- mlen += len;
- if (mlen > ((UINT64_C(1) << 36) - 32) ||
- (sizeof(len) == 8 && mlen < len)) {
- return 0;
- }
- ctx->len.u[1] = mlen;
-
- if (ctx->ares) {
- // First call to decrypt finalizes GHASH(AAD)
- GCM_MUL(ctx, Xi);
- ctx->ares = 0;
- }
-
- n = ctx->mres;
- if (n) {
- while (n && len) {
- uint8_t c = *(in++);
- *(out++) = c ^ ctx->EKi.c[n];
- ctx->Xi.c[n] ^= c;
- --len;
- n = (n + 1) % 16;
- }
- if (n == 0) {
- GCM_MUL(ctx, Xi);
- } else {
- ctx->mres = n;
- return 1;
- }
- }
-
-#if defined(AESNI_GCM)
- if (ctx->use_aesni_gcm_crypt) {
- // |aesni_gcm_decrypt| may not process all the input given to it. It may
- // not process *any* of its input if it is deemed too small.
- size_t bulk = aesni_gcm_decrypt(in, out, len, key, ctx->Yi.c, ctx->Xi.u);
- in += bulk;
- out += bulk;
- len -= bulk;
- }
-#endif
-
- ctr = CRYPTO_bswap4(ctx->Yi.d[3]);
-
-#if defined(GHASH)
- while (len >= GHASH_CHUNK) {
- GHASH(ctx, in, GHASH_CHUNK);
- (*stream)(in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
- ctr += GHASH_CHUNK / 16;
- ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
- out += GHASH_CHUNK;
- in += GHASH_CHUNK;
- len -= GHASH_CHUNK;
- }
-#endif
- size_t i = len & kSizeTWithoutLower4Bits;
- if (i != 0) {
- size_t j = i / 16;
-
-#if defined(GHASH)
- GHASH(ctx, in, i);
-#else
- while (j--) {
- size_t k;
- for (k = 0; k < 16; ++k) {
- ctx->Xi.c[k] ^= in[k];
- }
- GCM_MUL(ctx, Xi);
- in += 16;
- }
- j = i / 16;
- in -= i;
-#endif
- (*stream)(in, out, j, key, ctx->Yi.c);
- ctr += (unsigned int)j;
- ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
- out += i;
- in += i;
- len -= i;
- }
- if (len) {
- (*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
- ++ctr;
- ctx->Yi.d[3] = CRYPTO_bswap4(ctr);
- while (len--) {
- uint8_t c = in[n];
- ctx->Xi.c[n] ^= c;
- out[n] = c ^ ctx->EKi.c[n];
- ++n;
- }
- }
-
- ctx->mres = n;
- return 1;
-}
-
int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag, size_t len) {
uint64_t alen = ctx->len.u[0] << 3;
uint64_t clen = ctx->len.u[1] << 3;
diff --git a/third_party/boringssl/core/cortex-m/ghash.S b/third_party/boringssl/core/cortex-m/ghash.S
index fafcb5c23b..a1eb97b9c5 100644
--- a/third_party/boringssl/core/cortex-m/ghash.S
+++ b/third_party/boringssl/core/cortex-m/ghash.S
@@ -8,12 +8,7 @@
@ in the file LICENSE in the source distribution or at
@ https://www.openssl.org/source/license.html
-#include <openssl/arm_arch.h>
-
-@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both
-@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions. (ARMv8 PMULL
-@ instructions are in aesv8-armx.pl.)
-.arch armv7-a
+#define __ARM_ARCH__ 7
.text
#if defined(__thumb2__) || defined(__clang__)
@@ -111,7 +106,7 @@ gcm_ghash_4bit:
#ifdef __thumb2__
it pl
#endif
- ldrplb r12,[r2,r3]
+ ldrbpl r12,[r2,r3]
eor r6,r6,r7,lsl#28
eor r7,r11,r7,lsr#4
@@ -124,7 +119,7 @@ gcm_ghash_4bit:
#ifdef __thumb2__
it pl
#endif
- ldrplb r8,[r0,r3]
+ ldrbpl r8,[r0,r3]
eor r4,r4,r5,lsl#28
eor r5,r9,r5,lsr#4
ldrh r9,[sp,r14]
@@ -180,7 +175,7 @@ gcm_ghash_4bit:
#ifdef __thumb2__
it ne
#endif
- ldrneb r12,[r2,#15]
+ ldrbne r12,[r2,#15]
#if __ARM_ARCH__>=7 && defined(__ARMEL__)
rev r6,r6
str r6,[r0,#4]
@@ -270,7 +265,7 @@ gcm_gmult_4bit:
#ifdef __thumb2__
it pl
#endif
- ldrplb r12,[r0,r3]
+ ldrbpl r12,[r0,r3]
eor r6,r6,r7,lsl#28
eor r7,r11,r7,lsr#4
@@ -363,7 +358,7 @@ gcm_gmult_4bit:
.word 0xe12fff1e @ interoperable with Thumb ISA:-)
#endif
.size gcm_gmult_4bit,.-gcm_gmult_4bit
-#if __ARM_MAX_ARCH__>=7
+#ifdef __ARM_NEON__
.arch armv7-a
.fpu neon
diff --git a/third_party/boringssl/include/aes-gcm.h b/third_party/boringssl/include/aes-gcm.h
index b2941fb317..e3ef457224 100644
--- a/third_party/boringssl/include/aes-gcm.h
+++ b/third_party/boringssl/include/aes-gcm.h
@@ -46,46 +46,12 @@
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ==================================================================== */
-#ifndef OPENSSL_HEADER_MODES_INTERNAL_H
-#define OPENSSL_HEADER_MODES_INTERNAL_H
+#ifndef __CROS_EC_AES_GCM_H
+#define __CROS_EC_AES_GCM_H
-#include <openssl/base.h>
-
-#include <string.h>
-
-#include "../../internal.h"
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-
-#define STRICT_ALIGNMENT 1
-#if defined(OPENSSL_X86_64) || defined(OPENSSL_X86) || defined(OPENSSL_AARCH64)
-#undef STRICT_ALIGNMENT
-#define STRICT_ALIGNMENT 0
-#endif
-
-static inline uint32_t GETU32(const void *in) {
- uint32_t v;
- OPENSSL_memcpy(&v, in, sizeof(v));
- return CRYPTO_bswap4(v);
-}
-
-static inline void PUTU32(void *out, uint32_t v) {
- v = CRYPTO_bswap4(v);
- OPENSSL_memcpy(out, &v, sizeof(v));
-}
-
-static inline size_t load_word_le(const void *in) {
- size_t v;
- OPENSSL_memcpy(&v, in, sizeof(v));
- return v;
-}
-
-static inline void store_word_le(void *out, size_t v) {
- OPENSSL_memcpy(out, &v, sizeof(v));
-}
+#include "common.h"
+#include "endian.h"
+#include "util.h"
// block128_f is the type of a 128-bit, block cipher.
typedef void (*block128_f)(const uint8_t in[16], uint8_t out[16],
@@ -125,10 +91,6 @@ struct gcm128_context {
unsigned int mres, ares;
block128_f block;
-
- // use_aesni_gcm_crypt is true if this context should use the assembly
- // functions |aesni_gcm_encrypt| and |aesni_gcm_decrypt| to process data.
- unsigned use_aesni_gcm_crypt:1;
};
@@ -141,77 +103,45 @@ struct gcm128_context {
typedef struct gcm128_context GCM128_CONTEXT;
-// CRYPTO_ghash_init writes a precomputed table of powers of |gcm_key| to
-// |out_table| and sets |*out_mult| and |*out_hash| to (potentially hardware
-// accelerated) functions for performing operations in the GHASH field. If the
-// AVX implementation was used |*out_is_avx| will be true.
-void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
- u128 *out_key, u128 out_table[16], int *out_is_avx,
- const uint8_t *gcm_key);
-
// CRYPTO_gcm128_init initialises |ctx| to use |block| (typically AES) with
// the given key. |block_is_hwaes| is one if |block| is |aes_hw_encrypt|.
-OPENSSL_EXPORT void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *key,
+void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *key,
block128_f block, int block_is_hwaes);
// CRYPTO_gcm128_setiv sets the IV (nonce) for |ctx|. The |key| must be the
// same key that was passed to |CRYPTO_gcm128_init|.
-OPENSSL_EXPORT void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key,
+void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key,
const uint8_t *iv, size_t iv_len);
// CRYPTO_gcm128_aad sets the authenticated data for an instance of GCM.
// This must be called before and data is encrypted. It returns one on success
// and zero otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad,
+int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad,
size_t len);
// CRYPTO_gcm128_encrypt encrypts |len| bytes from |in| to |out|. The |key|
// must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
// on success and zero otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const void *key,
+int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const void *key,
const uint8_t *in, uint8_t *out,
size_t len);
// CRYPTO_gcm128_decrypt decrypts |len| bytes from |in| to |out|. The |key|
// must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
// on success and zero otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key,
+int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key,
const uint8_t *in, uint8_t *out,
size_t len);
-// CRYPTO_gcm128_encrypt_ctr32 encrypts |len| bytes from |in| to |out| using
-// a CTR function that only handles the bottom 32 bits of the nonce, like
-// |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
-// passed to |CRYPTO_gcm128_init|. It returns one on success and zero
-// otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
- const void *key,
- const uint8_t *in, uint8_t *out,
- size_t len, ctr128_f stream);
-
-// CRYPTO_gcm128_decrypt_ctr32 decrypts |len| bytes from |in| to |out| using
-// a CTR function that only handles the bottom 32 bits of the nonce, like
-// |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
-// passed to |CRYPTO_gcm128_init|. It returns one on success and zero
-// otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
- const void *key,
- const uint8_t *in, uint8_t *out,
- size_t len, ctr128_f stream);
-
// CRYPTO_gcm128_finish calculates the authenticator and compares it against
// |len| bytes of |tag|. It returns one on success and zero otherwise.
-OPENSSL_EXPORT int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag,
+int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag,
size_t len);
// CRYPTO_gcm128_tag calculates the authenticator and copies it into |tag|.
// The minimum of |len| and 16 bytes are copied into |tag|.
-OPENSSL_EXPORT void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, uint8_t *tag,
+void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, uint8_t *tag,
size_t len);
-#if defined(__cplusplus)
-} // extern C
-#endif
-
-#endif // OPENSSL_HEADER_MODES_INTERNAL_H
+#endif // __CROS_EC_AES_GCM_H